Hello FC community,

As Vadim has been experimenting further with Sony Ericsson J120 and K2x0 phones, uncovering more of their quirks, I couldn't shake the feeling that SE J120 seemed familiar, that I had seen something very similar before. So I took a closer look at SE J120 flash dumps (provided by Vadim - I don't have one of those phones here), and sure enough, I see the damning evidence I was looking for: SE J120 was made by the same ODM (Chi-Mei) as Motorola C168 and W220, with many of the same design decisions in terms of technical architecture.
Let's rewind for a moment to 2019-May. This was prior to my discovery of iWOW TR-800; I had a desire to produce a proper FreeCalypso modem module in a form factor like BenQ M32 or Huawei GTM900 (this desire has now been satisfied by rebranding iWOW TR-800 into FC Tango), and I was considering the possibility of using the Si4210 RF transceiver instead of TI Rita for quadband GSM. (Remember the timeframe - prior to the discovery of iWOW, we had no source of confidence for TI's legendary Leonardo+ design.) I was looking for some existing phone that used Si4210 (Aero II), and I knew about Motorola C168 and W220 from this wiki page:

https://osmocom.org/projects/baseband/wiki/PotentialCalypsoTargets

Some time around 2019-May I obtained samples of both C168 and W220. C168 was a disappointment: I had no success in gaining bootloader entry, or any other signs of life on the headset jack. W220 was more successful: I got in with fc-loadtool and dumped the flash. I also found schematics for W220; here they are, together with some flash dumps:

https://www.freecalypso.org/pub/GSM/Mot_W220/

But the phone (Mot W220) was a disappointment in a different way. I was hoping to find a Calypso+Si4210 phone whose firmware architecture was pristine, unchanged from TI except for the integration of RF support for the different Silabs transceiver - then I could do some disassembly to see how Si4210 support was fitted into a mostly-unchanged TI fw arch, then try running FC fw on the same hw, reusing the original factory RF calibration, and test the whole thing on my CMU200... But nope, no such luck - the fw architecture of Chi-Mei (Mot W220 and others, as will be seen shortly) is altered beyond recognition, even worse than Compal. There is no TIFFS, no other identifiable FFS format, and I couldn't even tell from the flash dump where the boundaries lie between fw image vs factory data (RF cal etc) vs user data.
My venture into the Si4210 idea was set aside then, and later lost all relevance when we discovered iWOW TR-800, containing nothing less than a mass-produced version of TI's own legendary Leonardo+ core.

Back to Sony Ericsson J120 - let's review some basic properties it shares with Motorola W220:

* Silabs Aero II RF transceiver;
* Calypso and Iota chips are in 0.5 mm ZPH/ZQW packages, rather than the more classic 0.8 mm GHH/GGM;
* Intel W18 MCP flash (28F640W18T on W220, 28F320W18T on J120);
* Same incomprehensible fw structure seen in the flash dump: no TIFFS, no clear picture of where different parts are.

At this point I knew I had to either prove or disprove my suspicion - so I did a little disassembly, comparing fw code around the flash boot entry point between Mot W220 and SE J120. And here is what I see:

* The highly idiomatic nature of the code around the flash boot entry point is exactly the same between these two non-TI firmwares: both use flash boot mode 0 (contrary to TI fw design), followed by code that disables the boot ROM mapping and executes a swi instruction, as if they are trying to be compatible with the old broken boot ROM version in Calypso C05 chips. The swi handler then jumps to the real flash boot entry point, and there once again we see the same highly idiomatic (won't arise by chance) code structure between the two firmwares.
* The only significant diff in this boot entry code between the two firmwares is that the SE J120 version includes a call to an extra function (Thumb code at 0x20E0, ARM call veneer at 0x348C) very early in the boot path. A quick look at this function (I didn't dig deep) strongly suggests that it is an Ericsson-style EROM bootloader - I reason that Chi-Mei implemented this function for SE as a contractual requirement, whereas no similar requirement existed for Motorola.
And now comes the smoking gun: both firmwares expect the external off-chip RAM (which I call XRAM in FC) to be at 0x02XXXXXX rather than the usual 0x01XXXXXX location - meaning that XRAM on SE J120 must be wired to Calypso nCS3 (instead of TI-standard nCS1), just like it is depicted on the schematics we found for Mot W220! This same oddball choice of XRAM chip select wiring cannot arise by chance, so we know that Mot W220 and SE J120 *had* to have been made by the same ODM. And we know that this ODM was Chi-Mei: Motorola's published (for service/repair shops) schematics helpfully name their ODM. :)

So what about SE K200/K220? We still don't know which ODM made this phone, but it does NOT look like either Compal or Chi-Mei. Given some similarities to Pirelli DP-L10, it could have been Foxconn - but even then, the only *real* similarity between Pirelli DP-L10 and SE K2x0 is that both designs stick fairly close to TI's original, as opposed to changing it beyond recognition - hence with the common pieces coming from TI, it is entirely possible that the designers of SE K2x0 were some other conservative (in terms of fw arch changes) team that had no relation to the designers of Pirelli DP-L10 at Foxconn. So who knows... (There is a Russian expression for *exactly who* may know, but it contains a word that should not be used in polite company...)

Hasta la Victoria, Siempre,
Mychaela aka The Mother
_______________________________________________
Community mailing list
Community@freecalypso.org
https://www.freecalypso.org/mailman/listinfo/community
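Added example (not part of Mychaela's message, and not a FreeCalypso tool): a first-pass triage script for the "which RAM window does this firmware expect" question that the post settles by disassembly. The heuristic it assumes is that a firmware image built for one board carries many absolute data pointers (literal pools, vector tables, initialised data) as aligned 32-bit little-endian words into its external RAM window, so counting such words by top byte distinguishes the 0x01XXXXXX (TI-standard) and 0x02XXXXXX (Chi-Mei-style, per the post) cases. The "dumps" below are constructed data, not real W220 or J120 images. Caveats a practitioner should keep in mind: Thumb code is 16-bit, so adjacent halfwords can masquerade as pointers, and small integers look like 0x00XXXXXX flash addresses; the histogram only tells you where to point a disassembler, which remains the confirming check.

```python
"""Triage a raw Calypso flash dump for the external RAM window its firmware expects.

Added example, not a FreeCalypso tool and not the method used in the post
(that was disassembly of the boot path).  Heuristic assumption: absolute
pointers appear as aligned 32-bit little-endian words, and their top byte
names the 16 MiB window (0x01 = TI-standard XRAM, 0x02 = the Chi-Mei wiring).
"""
import random
import struct
from collections import Counter

# Candidate windows (top byte of a 32-bit address) that the post distinguishes.
XRAM_CANDIDATES = (0x01, 0x02)


def address_region_histogram(dump: bytes, max_top_byte: int = 0x0F) -> Counter:
    """Count aligned 32-bit LE words whose top byte is <= max_top_byte.

    0x00000000 and 0xFFFFFFFF (padding / erased flash) are ignored.  ARM
    instructions mostly start with 0xE (condition code AL), so they fall
    outside the counted range and plain code does not dominate the result.
    """
    counts = Counter()
    usable = len(dump) - (len(dump) % 4)          # iter_unpack needs a whole number of words
    for (word,) in struct.iter_unpack("<I", dump[:usable]):
        if word in (0, 0xFFFFFFFF):
            continue
        top = word >> 24
        if top <= max_top_byte:
            counts[top] += 1
    return counts


def xram_window_guess(dump: bytes, candidates=XRAM_CANDIDATES):
    """Return the candidate top byte with the most pointer-like words,
    or None when no candidate wins outright (all zero, or a tie)."""
    hist = address_region_histogram(dump)
    ranked = sorted(candidates, key=lambda top: hist[top], reverse=True)
    best = ranked[0]
    runner_up = ranked[1] if len(ranked) > 1 else None
    if hist[best] == 0:
        return None
    if runner_up is not None and hist[best] == hist[runner_up]:
        return None
    return best


def same_xram_window(dump_a: bytes, dump_b: bytes) -> bool:
    """True when both dumps favour the same (non-None) XRAM window."""
    a, b = xram_window_guess(dump_a), xram_window_guess(dump_b)
    return a is not None and a == b


def constructed_dump(xram_top: int, n_pointers: int, seed: int) -> bytes:
    """Build a synthetic 'flash image' (constructed data, not a real phone dump):
    ARM NOPs, flash-region literals, a little noise pointing at the other
    window, and n_pointers words into the xram_top window."""
    rng = random.Random(seed)
    other = 0x01 if xram_top == 0x02 else 0x02
    words = [0xE1A00000] * (4 * n_pointers)                                   # mov r0, r0 (NOP)
    words += [rng.randrange(0x1000, 0x400000) for _ in range(n_pointers)]       # 0x00XXXXXX flash addrs
    words += [(other << 24) | rng.randrange(0x1000, 0x100000) for _ in range(3)]  # noise
    words += [(xram_top << 24) | rng.randrange(0x1000, 0x100000) for _ in range(n_pointers)]
    rng.shuffle(words)
    return struct.pack("<%dI" % len(words), *words)


# Stand-ins for a Chi-Mei-style image and a TI-standard image (constructed).
CHIMEI_STYLE = constructed_dump(0x02, n_pointers=40, seed=1)
TI_STYLE = constructed_dump(0x01, n_pointers=40, seed=2)

if __name__ == "__main__":
    for name, dump in (("chimei_style", CHIMEI_STYLE), ("ti_style", TI_STYLE)):
        hist = address_region_histogram(dump)
        print(name, {f"0x{k:02X}": v for k, v in sorted(hist.items())},
              "-> XRAM window guess:", xram_window_guess(dump))
    print("same XRAM wiring?", same_xram_window(CHIMEI_STYLE, TI_STYLE))
```

On a real dump you would read the file into `dump` and run `xram_window_guess` on it; if two images from different brands land on the same oddball window, that is the cue to do what the post does next and compare the boot-entry code by hand.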